U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

Bureau of Economic Analysis

FY 2008 FISMA Assessment of BEA Estimation Information Technology System (BEA-015)

Final Inspection Report No. OSE-19001/September 2008

Office of Systems Evaluation


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

SEP 22 2008

MEMORANDUM FOR:  J. Steven Landefeld
                 Director
                 Bureau of Economic Analysis

FROM:            Judith J. Gordon
                 Assistant Inspector General for Audit and Evaluation

SUBJECT:         Bureau of Economic Analysis
                 FY 2008 FISMA Assessment of BEA Estimation Information Technology System (BEA-015)
                 Final Inspection Report No. OSE-19001

This report presents the results of our Federal Information Security Management Act (FISMA) review of the BEA Estimation Information Technology System certification and accreditation. We found that while the system security plan provided an adequate basis to conduct the security certification, BEA needs to improve its security control assessments to assure that controls are implemented as intended. We also found that BEA needs to correct its process for tracking and reporting security weaknesses as required by Department policy and OMB's FISMA guidance. Finally, we performed our own assessment of selected BEA security controls and found weaknesses in those controls that BEA's security certification did not.

In response to our draft report, BEA, with one exception, did not specifically indicate whether it agreed with our findings, and the corrective actions described are not fully responsive to our recommendations. BEA's response is summarized in the appropriate sections of the report and included in its entirety as appendix B.

We request that you provide us with an action plan describing the actions you have taken or plan to take in response to our recommendations within 60 calendar days of the date of this report. The plan should be in the form of plans of action and milestones (POA&Ms) as required by FISMA.

We appreciate the cooperation and courtesies extended to us by your staff during our evaluation. If you would like to discuss any of the issues raised in this report, please call me at (202) 482-2754 or Allen Crawley, Deputy Assistant Inspector General for Systems Evaluation, at (202) 482-1855.

Attachment

cc:  Suzanne Hilding, Chief Information Officer, U.S. Department of Commerce
     Brian Callahan, Chief Information Officer, Bureau of Economic Analysis


OIG FY 2008 FISMA Assessment

Listing of Abbreviated Terms & Acronyms

BEA        Bureau of Economic Analysis
BEA-EITS   BEA-Estimation Information Technology System
C&A        Certification and Accreditation
CIO        Chief Information Officer
DISA       Defense Information Systems Agency
DOC        Department of Commerce
FISMA      Federal Information Security Management Act of 2002
IT         Information Technology
ITSO       Information Technology Security Officer
NIST       National Institute of Standards and Technology
OIG        Office of Inspector General
OMB        Office of Management and Budget
POA&M      Plan of Action and Milestones
SSP        System Security Plan
ST&E       Security Test and Evaluation


Synopsis of Findings

  •  System security plan provided an adequate basis to conduct the security certification.

  •  Security certification lacked credible supporting evidence for technical security control assessments.

  •  Vulnerabilities were not included in the security assessment report or identified in POA&Ms.

  •  OIG assessment of selected security controls found significant weaknesses not identified by the BEA security certification.

Conclusions

  •  BEA needs to improve security control assessments to assure that controls are implemented correctly, operating as intended, and meeting the security requirements for the system.

  •  The bureau should correct its process for tracking security weaknesses in POA&Ms as required by Department policy and FISMA guidance.


Summary of BEA Response

BEA's response to our draft report included a memorandum from the director with a brief discussion of each finding and a memorandum from the CIO describing actions taken since our review, discussion of some of the issues we found, and a table of action items addressing each of our recommendations.

The CIO described actions completed since our review ended: the agency has improved its continuous monitoring program, with the system's authorizing official reviewing results; had independent contractors perform a network penetration test; and developed a secure configuration standard for Windows [redacted] servers after implementing the federal desktop core configuration for its Windows [redacted] desktops.

In regard to BEA's work developing secure configuration standards, the CIO described its risk-based approach for implementing the standards on system components. The bureau, intending to configure its most valuable assets first and minimize disruption to its core processes of producing statistics, is only now configuring its less sensitive servers. The risk-based approach was said to be "reflected in the [OIG] report where it is noted that some servers did not conform to our standard." The need for completing this work has now been added to the system POA&M in line with one of our recommendations.

The CIO also makes the point that BEA is a small operating unit and depends on private contractors to provide independent security control assessments. While BEA exercised care in its selection, the contractors "have not met the documentation expectations of the OIG."

The portions of the response applicable to our specific findings are described in the body of this report along with OIG comments. The bureau's response is included in its entirety as appendix B.

OIG Comments

BEA did not specifically indicate whether it agreed with our findings (with one exception), and the corrective actions described are not fully responsive to our recommendations. The bureau did indicate its intention to use our recommendations to improve BEA information security.

In its response, BEA appears to view the deficiencies we identified as primarily a documentation issue. We disagree. We attribute our finding on the lack of credible supporting evidence for technical security control assessments to the inadequacy of the assessments themselves. This is supported by OIG's assessment of controls, which, while limited, found significant deficiencies in critical components.

BEA's risk-based approach to implementing secure configuration settings was described in the status of action items addressing two of our recommendations. In both cases, the discussion is not responsive to our recommendations (see OIG comments in body of report). While a risk-based approach may be entirely appropriate, we disagree with BEA's assertion that it explains why we found insecure settings in the components we assessed. Some security control deficiencies were present in a certain subset of (noncritical) servers, but many secure configuration settings were missing across the full spectrum of components we examined, including components that process sensitive core data. BEA's own secure configuration standard for Windows showed that many settings had not yet been implemented in its two main network domains, and made no distinction between more and less valuable assets in those domains. However, BEA's C&A process did not raise this as a risk or add appropriate actions to the system's POA&M.


Introduction

BEA-015, BEA Estimation Information Technology System (BEA-EITS), encompasses all of BEA's information technology in support of its mission to promote a better understanding of the U.S. economy by providing the most timely, relevant, and accurate economic accounts data in an objective and cost-effective manner. The bureau "produces some of the most closely watched U.S. economic statistics that influence critical financial decisions made by governments, businesses, and households."1 BEA-EITS is utilized in BEA's core business processes: data collection; analysis, tabulation, and estimation; and data dissemination.

BEA has categorized BEA-EITS as a [redacted]-impact system, which means a security breach could be expected to have a [redacted] effect on organizational operations and assets, or individuals.

The system is made up of a LAN infrastructure that includes web and remote access segments among others. Network components (primarily Cisco firewalls, routers, and switches) regulate the flow of internal and external communications. Windows servers process BEA information and perform key security services such as identification/authentication and access control. BEA's internal users access the system via Windows workstations and laptops. BEA also provides public access to data via the Web. The system has a number of other components (such as remote access servers, [redacted] servers, storage area network) and applications (e-mail server, desktop office automation software, VPN clients, databases, proprietary applications).

1 BEA. Mission, Vision, Values [Online]. www.bea.gov/about/mission.htm (accessed May 30, 2008).


Findings and Recommendations

1. System Security Plan Provided an Adequate Basis to Conduct the Security Certification

 •  The system description correctly represented the system components and defined the accreditation boundary.
      o  Component listing was accurate.
      o  System boundaries and interconnections were defined.

 •  In general, the security plan sufficiently addressed all applicable aspects of the required controls.
      o  In the summer of 2006, OIG reviewed this system's C&A package and found configuration settings (CM-6) for IT products had not been defined. A review of the current CM-6 control description in the security plan showed significant improvement—BEA has defined settings by adapting industry-defined secure configuration settings baselines for significant IT products implemented on the system.
           ▪  A weakness we found was that the baseline [redacted] (a Microsoft [redacted]) does not describe the rationale for deviating from the DISA benchmark from which BEA's baseline is derived. In addition, the DISA benchmark used by BEA is now out of date. DISA has published a new, more extensive benchmark.

Recommendations

BEA should

1.1 document secure configuration baselines with its rationale for deviating from the benchmarks, as appropriate; and

1.2 update its secure configuration baseline for IIS using the most current DISA benchmark available.

BEA Response

BEA noted the extensive work the bureau has done in developing the system security plan. With respect to our first recommendation (1.1), BEA described actions it has taken in developing a standard configuration for Windows [redacted] servers. The bureau explained that it used a risk-based approach to implement configuration settings on its more valuable servers first and was currently securely configuring servers carrying less sensitive information. BEA indicated that it has updated its secure configuration baseline [redacted] using the most current DISA benchmark (in response to recommendation 1.2).

OIG Comment

We appreciate BEA's efforts to improve security planning. However, the bureau was not responsive to recommendation 1.1 to document secure configuration baselines with appropriate rationale. Instead, the response is apparently addressing some aspects of finding 4 below. Recommendation 1.1 stemmed from our finding that BEA's secure baseline [redacted] did not describe the rationale for defining settings that deviated from DISA-recommended settings. This type of documentation is recommended in NIST guidance as a means of recording the tailoring of baselines to reflect IT security policy and operational needs, and should be a normal part of defining all of the system's secure configuration baselines—including the baseline for Windows [redacted] servers that BEA is currently revising and its updated baseline [redacted].


2. Security Certification Lacked Credible Supporting Evidence for Technical Security Control Assessments

In FY06, OIG reviewed BEA-EITS' C&A as part of the annual FISMA evaluation. We identified significant weaknesses in the security control assessments, specifically:
      o  Procedures to assess security controls were not applied to all the network components where the controls were required to be implemented.
      o  Assessment results did not provide a basis for evaluating the adequacy of security controls.
      o  Assessments of technical controls were only based on policy review and interview.
      o  Frequently the assessments simply restated the control requirement with no meaningful information about the actual security control implementation or supporting evidence.

The FY07 security certification showed some improvement—in particular, some of the required operational and management security control assessments were supported by evidence. However, we still found significant control assessment issues that indicate the security certification did not credibly identify the remaining vulnerabilities in the system. We focused on assessments that called for an examination or test of security controls implemented on system components (technical assessments).

 •  Of the 71 technical assessments, 55 cases (77%) lacked supporting evidence or the assessment activity was inappropriate.
      o  44 technical assessments were not supported by artifacts or other evidence to validate the results. (See table 1 for examples.)
      o  In 11 of the remaining 27 cases, the evidence indicated the assessment activity was inappropriate or incomplete. (See table 2 for examples.)

 •  As in FY06, the certifier's assessment procedures and results lacked specific information, such as which components were assessed and actual settings examined. (See table 3 for examples.)
      o  Results were typically just restatements of generally worded procedures.
      o  Assessments were either exactly the same as the FY06 assessments or had just minor alterations.

 •  The C&A package included two sets of results, one labeled "certifier's results" and the other "ST&E results." The assessment procedures used in both were the same or similar; however, the results were different in several cases. BEA told us that the certifier's results were the definitive results but also stressed that both assessments should be considered. (See table 4.)

Recommendations

BEA should ensure that

2.1 all control assessments are supported by credible evidence to validate the assessment results;

2.2 evidence shows that all applicable aspects of a control and an appropriate sample of components implementing it have been assessed; and

2.3 assessment procedures and results include specific information about the implementation of the control and the steps taken to assess it.

BEA Response

BEA did not specifically indicate if it agreed with this finding but explained that the private sector contractors who performed the security certification were chosen in large part due to "past successful performance." The bureau indicated that the contractors did not meet "the documentation expectations of the OIG," and that "what is considered acceptable documentation varies greatly across agencies."

The bureau described the steps it is taking in its continuous monitoring to address our recommendations. The authorizing official is reviewing control assessments for technical security control families as they are completed. The bureau's CIO indicates that "test results are thoroughly documented with clear and appropriate artifacts," and that BEA "would welcome a review of this completed documentation to ensure that it meets OIG expectations." The bureau emphasized the promptness of its process for reviewing residual risks identified by this testing.

OIG Comments

BEA's response suggests that the problems we identified were mostly attributable to poor documentation of testing. On the contrary, we view our findings as evidence of inadequate security control assessments. Our own control assessments, documented in finding 4 below, support this position.

Adequate documentation is the byproduct of comprehensive control assessments required for a security certification. Further, such documentation is not an "OIG expectation." The assessment process described in NIST SP 800-53A, Guide for Assessing the Security Controls in Information Systems, states, "Security assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits…" BEA's security assessments included much paperwork but little evidence of tailored and scoped control assessment procedures and results that gave credible confirmation of the status of controls.

While BEA attributes the problems to contractor performance, the bureau has the responsibility of overseeing the contractors' work for appropriate quality. Indeed, in our review, BEA staff told us they worked closely with the contractors and reviewed control assessments in real time.

BEA's response does not describe specific steps it will take to ensure each recommendation is implemented, and instead emphasizes its review process. We reiterate the need for BEA to ensure that (1) control assessments are supported by credible evidence, (2) all applicable aspects of a control are assessed on appropriate samples of components, and (3) procedures and results include specific information about control implementations.

With regard to OIG reviewing continuous monitoring control assessments, we have issued a data call for this information and will consider it in our annual FISMA report to OMB.


3. Vulnerabilities Were Not Included in the Security Assessment Report or Identified in POA&Ms

 •  Significant vulnerabilities discovered during C&A were not identified in the required security assessment report and vulnerabilities requiring mitigation were not tracked in a POA&M.
      o  Windows configuration vulnerabilities were not described in the security assessment report and are currently being tracked outside the required POA&M process, which prevents mandated oversight by responsible Department and OMB officials.
           ▪  BEA is tracking these vulnerabilities, which are unimplemented secure configuration settings defined in BEA's Windows Security Standard, through an internal process.
           ▪  These vulnerabilities were identified more than 1 year ago, but BEA still has not scheduled mitigation.
      o  BEA's CIO told us that he does not consider many of the unimplemented secure configuration settings for Windows to be vulnerabilities, the settings may never be implemented, and the secure configuration baseline may be revised as a result. However, this acceptance of risk was not documented in the C&A package. In addition, OIG's assessment of controls found that the implementation of secure settings on servers was less complete than BEA's internal tracking indicates.

Recommendations

BEA should

3.1 comply with Department policy and guidance in tracking and correcting system security deficiencies;

3.2 create POA&Ms to address the Windows vulnerabilities described above;

3.3 explain vulnerabilities in security assessment reports according to guidance found in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; and

3.4 clearly articulate in the C&A package the vulnerabilities for which the bureau is accepting risk. Unimplemented secure configuration settings should be addressed in the security assessment report as well as the accreditation decision letter. If BEA chooses to redefine its secure baseline, that document should be updated with appropriate risk rationale.

BEA Response

BEA stated that it carefully tracks security weaknesses, but agreed that it had not done so properly through the use of POA&Ms. The bureau indicated that it would be listing on POA&Ms vulnerabilities that could not be mitigated quickly. It has recently added items related to secure configuration of Windows servers and the standard web browser to its system POA&M.

Security assessment reports are being prepared for technical security controls reviewed in the continuous monitoring program. These reports are reviewed by BEA's authorizing official (the CIO) and risk is either accepted or corrective actions prescribed. BEA is redefining its secure configuration for Windows [redacted] servers and these settings must be thoroughly tested before being implemented in its production environment. BEA's risk-based approach was to implement settings in its most valuable assets first and minimize the potential for disruption in its critical processes. This approach explains why OIG found some servers did not conform to the BEA secure baseline. A weakness related to completing implementation of secure configurations has been added to the system POA&M.

OIG Comments

BEA's corrective actions are generally responsive to our recommendations. However, the bureau did not speak to the portion of recommendation 3.4 that suggests appropriate risk rationale be included in secure configuration baselines BEA chooses to redefine. A related recommendation in finding one (1.1) was also not addressed by the BEA response, so we are concerned BEA may not adequately define its secure configuration baselines.

The Windows configuration vulnerabilities referred to in this finding were not limited to less sensitive servers. Our finding related to specific settings that, according to BEA's own internal tracking, had not been implemented in its production and web domains. Together these components encompass the vast majority of BEA servers—including those performing the most critical operations referred to in its risk-based approach.


4. OIG Assessment of Selected Security Controls Found Significant Weaknesses Not Identified by the BEA Security Certification

As part of the OIG's FY08 FISMA evaluation of BEA-EITS, we assessed a targeted set of system components to determine if selected security controls are properly implemented and whether related system vulnerabilities were identified by BEA's security certification. We tailored our procedures to the specific control implementations of BEA-EITS. This tailoring is a necessary part of assessing controls adequately and is a crucial component of NIST guidance. The results follow from the steps we took to assess the control, include (or reference) our analysis, and cite specific supporting evidence. (See appendix C.) The assessments, along with the supporting evidence, are transparent, clearly depicting the status of the controls in order to effectively inform those who manage risk to agency operations, agency assets, and individuals.

 •  We found weaknesses in the technical implementation of security controls that were not identified by the BEA security certification. (See table 5.) Some of our significant findings are as follows:
      o  [redacted]

Recommendations

BEA should ensure that

4.1 the deficiencies we identified are added to the system's POA&M and remediated in a timely manner; and

4.2 control assessments are improved through tailored procedures and well-supported results which provide a transparent view of the status of controls.

BEA Response

BEA stated that it continuously monitors the effectiveness of security controls. BEA chose to devote its scarce resources toward its first priority—the protection of critical market-sensitive and company-confidential data. The bureau stated that it understands the importance of protecting the entire system and is expanding the scope of its continuous monitoring program to include all system components.

The bureau indicated that most of the items OIG identified in this finding have been remediated and those requiring longer term efforts have been added to the system POA&M. It stated that it could not replicate the finding of out-of-date virus signatures and that two issues we identified in Cisco components were not accurate.

In response to our recommendation to ensure improved control assessments, BEA reiterated that security assessment reports were being prepared for each control family assessed in its continuous monitoring, the authorizing official accepts risks or prescribes corrective actions, and the system POA&M will include deficiencies that cannot be corrected promptly.

OIG Comments

BEA's corrective actions are responsive to our recommendation to add the deficiencies we identified to the system's POA&M and remediate them in a timely manner. The bureau suggests that most deficiencies have already been corrected and therefore will not be added to the POA&M. In those cases, the remediation should be verified through appropriate control testing—which can be done as part of the continuous monitoring. With respect to the out-of-date virus signatures, BEA staff and OIG jointly concluded that the signatures had been out-of-date at the time of our testing, but had since been updated and were current as of a meeting held immediately after our exit conference on May 8, 2008. Therefore, it was not a deficiency we expected BEA to add to its POA&M.

BEA was not entirely responsive to our recommendation to ensure that control assessments were improved through tailored procedures and well-supported results (4.2). Rather than addressing tailoring of assessment procedures, the bureau emphasized its security assessment reports (results) and, in response to an earlier recommendation (2.1), indicated that more current assessment results from its contractor were thoroughly documented with clear and appropriate artifacts.


Table 1: Examples of Technical Examinations or Tests Not Supported by Evidence

Columns (from BEA's C&A package): Control; Procedural Step; Certifier's Results (full quotation); ST&E Results (full quotation); OIG Comments.

Control: IA-3 Device Identification and Authentication

Procedural step: IA-3.1 Examine BEA's records or documents and information system configuration settings to determine if the system uses either shared known information or BEA's authentication solution to identify and authenticate devices on local and/or wide-area networks.

Certifier's results (full quotation): [omitted in source]

ST&E results (full quotation): [omitted in source]

OIG comments: There is no evidence that Nmap was used to assess this control or even what relation Nmap has to the implementation of this control. Specific settings examined are not identified ("Nmap and VPN configurations" does not identify which specific settings pertain to Device Identification and Authentication—and it is unlikely that either would have settings relevant to IA-3).

The statement "tested an IT system for compliance," in the ST&E results gives no specifics as to what the test actually consisted of (i.e., how was the test performed?) or what components were tested. There are no artifacts or other evidence of such a test.

The procedural step (taken from NIST SP 800-53A, Second Public Draft) was not tailored for the specific control implementations in the system. (For example, the assessment did not document which specific settings were examined or how they pertain to IA-3, or what the data collection method was.)

Neither set of results reflects the actions called for in the procedural step. We also note that the procedural step and certifier's result are the same in the FY06 and FY07 packages.

Control: SC-14 Public Access Protections

Procedural step: SC-14.2 Test the publicly available information system by attempting to alter protected information using a public account to determine if access is limited in order to preserve the integrity of

Certifier's results (full quotation): [omitted in source]

ST&E results (full quotation): [omitted in source]

OIG comments: There is no evidence that a penetration test took place on the system. BEA staff told us that no such test took place and could not explain why the certifier claimed one had. The procedural step and certifier's results are the same from FY06 to FY07.

ST&E results suggest the need for additional assessment using commercial products to assess the control but
    provide no evidence that the control is in place or that the\n                 the information and the                                          additional assessment was conducted. The statement,\n                 applications.                                                    \xe2\x80\x9cTechnical controls seem to stop this type of activity\xe2\x80\x9d is\n                                                                                  not supported by any specifics or evidence. There is no\n                                                                                  basis for the conclusion: \xe2\x80\x9cLow \xe2\x80\x93 Met all requirements to\n                                                                                  satisfy this control.\xe2\x80\x9d\n\n\n\n\n                                                             Page 13\n\x0c                                                   OIG FY 2008 FISMA Assessment\n\n\n\nTable 1: Examples of Technical Examinations or Tests Not Supported by Evidence.\n                                         BEA\xe2\x80\x99s C&A Package\nControl     Procedural           Certifier\xe2\x80\x99s Results      ST&E Results            OIG Comments\n\n\n\n\n                                                                                                       \n\n            Step                 (full quotation)         (full quotation)\n\n                      \n\nAU-9            AU-9.1 Examine the                                                Certifier\xe2\x80\x99s results do not identify which specific settings\nProtection of   information system                                                were examined or what was specifically found. 
The\nAudit           configuration to                                                  statement \xe2\x80\x9cAudit logs\xe2\x80\xa6are restricted by file\nInformation     determine if the system                                           permissions\xe2\x80\xa6These are limited to Domain and\n                protects audit                                                    database administrators\xe2\x80\x9d is identical to the security plan\n                information and audit                                             description for this control. There are neither evidence nor\n                tools from unauthorized                                           artifacts that validate what the certifier claimed to have\n                access, modification,                                             examined.\n                and deletion.\n                                                                                  ST&E efforts did not actually follow the procedural step.\n                                                                                  Rather, they rely on document review and state that the\n                                                                                  control should be in place based on system descriptions.\n                                                                                  This was not a valid technical control assessment.\n\n\n\n\n                                                             Page 14\n\x0c                                                         OIG FY 2008 FISMA Assessment\n\n\n\n\nTable 2: Examples of Control Assessments With Inappropriate or Incomplete Evidence.\n\n                 BEA\xe2\x80\x99s C&A Package\nControl          Procedural        Certifier\xe2\x80\x99s Results                                    OIG Comments\n                                                                    Assessment Evidence\n                 Step              (full quotation)\nSA-7             
SA-7.5 Test network traffic                                              While there was evidence that some sort of packet\nUser-Installed   on the information system                                                capture was performed, the file only showed five packets,\nSoftware.        to determine if prohibited                                               which is not enough to assert that no unauthorized\n                 software is installed and                                                software is operating on the system.\n                 operational by utilizing a\n                 network packet analyzer.                                                 Neither the results nor the evidence was specific about\n                 (Note: Applications tend to                                              actual procedures employed for the packet capture (such\n                 communicate on known                                                     as at what point on the network the traffic was \xe2\x80\x9csniffed,\xe2\x80\x9d\n                 ports and/or have                                                        whether a filter was used to look for specific protocols,\n                 signature traffic patterns                                               what protocols were observed, etc.).\n                 and common packets.)\nAU-3             AU-3.2 Test the content of                                               There are two logs with time stamps from 5/08/07 but\nContent of       audit records by                                                         neither appear to be Windows event logs as suggested\nAudit Records    attempting to perform                                                    by \xe2\x80\x9csecurity, application, and system\xe2\x80\x9d described in the\n                 actions that are configured                                              results. 
Besides being in the AU artifacts folder, there is\n                 to generate audit records                                         .      nothing to tie them to this procedure.\n                 to determine if the audit\n                 records capture sufficient                                               The procedural step calls for an event to be generated\n                 information to establish                                                 followed by an examination of the logs to see if the event\n                 what events occurred, the                                                can be reconstructed and identified. It is unclear if the two\n                 sources of the events, and                                               logs are the actual logs used in the test since the\n                 the outcomes of the                                                      procedures do not state what the event was or which\n                 events.                                                                  components were meant to capture the event, and the\n                                                                                          logs were not analyzed. The fact there are logs in the\n                                                                                          certification package that have a time stamp for the same\n                                                                                          day as the procedure is incidental.\nCM-7             CM -7.2 Test the                                                         Actual output from external telnet requests was included\nLeast            information system to                                                    demonstrating that the certifier tested one prohibited\nFunctionality    determine if the identified                                              protocol on one component. 
However, the assessment\n                 functions, ports, protocols,                                             was not comprehensive.\n                 and services are\n                 prohibited or restricted.                                                Note: The ST&E results state that the assessment was\n                                                                                          done with vulnerability scanning, which would be a more\n                                                                                          complete approach. BEA stated that the certifier\xe2\x80\x99s results\n                                                                                          were definitive and would incorporate the ST&E results.\n                                                                                          However, there was little evidence that the certifier had\n                                                                                          used the ST&E results, as demonstrated by the different\n                                                                                          method the certifier chose to assess the control.\n\n\n\n\n                                                                   Page 15\n\x0c                                                                             OIG FY 2008 FISMA Assessment\n\nTable 3: Examples of Assessment Procedures and Results Without Specific Information.\n\n                     BEA\xe2\x80\x99s Original (FY06)                                                BEA\xe2\x80\x99s FY07 Procedural Step/Result\n                                                                    OIG Comments\nControl              Procedural Step/Result                                               (full quotation, with changes to the   OIG Comments\n                                                                    (in FY06)\n                     (full quotation)                 
                                    FY06 assessment results in bold)\nAU-9                 AU-9.2 Test the protection of audit                                                                         Assessment results do not provide a basis\nProtection of        information and audit tools from                                                                            for evaluating the adequacy of the security\nAudit                unauthorized access, modification, and                                                                      control. It is unclear what was done to test\nInformation          deletion by attempting to gain                                                                              the control or on which components the\n                     unauthorized access, modify, and delete                                                                     control was assessed.\n                     audit information.\n                                                                                                                                 The only evidence in the certification\n                     Assessment Result:                                                                                          package for this date was a log showing a\n                     The certifier tested the protection of audit                                                                failed logon attempt to a\n                     information and audit tools from                                                                            switch\xe2\x80\x94demonstrating that the system\n                     unauthorized access, modification, and                          .                                           logs failed access attempts. 
The test did\n                     deletion by attempting to gain                                                                              not address the control requirement that\n                     unauthorized access, modify and delete                                                                      the system protect audit information and\n                     audit information.                                                                                          audit tools from unauthorized access.\n\n                                                                                                                                 BEA audit data, in addition to being stored\n                                                                                                                                 on network devices, is stored on SYSLOG\n                                                                                                                                 servers and Windows components.\nIA-2                 IA-2.3 Test the information system to          A                                                            The assessment does not describe the\n                                                                    \n\n\nUser                 determine if passwords, tokens, or                                                                          specific test(s) performed. 
While the\n     \n\n\n\n\n\n                                                          \n\n\n\n\n\nIdentification       biometrics meet Level 2, 3, or 4                                                                            results describe generic component\n                \n\n\n\n\n\n                                                      \n\n\n\n\n\nand                  requirements consistent with NIST                                                                           classes and one specific application, there\n    \n\n\n\n\n\n                                                          \n\n\n\n\n\nAuthentication       Special Publication 800-63.                                                                                 is no supporting evidence in the certifier\xe2\x80\x99s\n                 \n\n\n\n\n\n                                                                                                                                 assessment artifacts for IA.\n                     Assessment Result:\n                                          \n\n\n\n\n\n                     The certifier tested the information                                                                        Note: The default domain policy is\n                                                          \n\n\n\n\n\n                     system and has determined that                                                                              included in a separate part of the C&A\n                     passwords, tokens, or meet Level 2, 3, or                                                                   package and includes password policy\n                     4 requirements consistent with NIST                                                                         settings, but this would only work for\n                     Special Publication 800-63.                                                                                 
Windows components and is not evidence\n                                                                                                                                 of a test, but instead a configuration\n                                                                                                                                 examination (if in fact the password policy\n                                                                                                                                 was examined).\n\n                                                                                                                                 There is no evidence of\n                                                                                                                                 password settings, application settings, or\n                                                                                                                                       device settings.\n\n\n\nAC-3                 AC-3.2 Examine access control                  Controls were                                                The testing mentioned in the results is not\nAccess               mechanisms to determine if the                 assessed by                                                  detailed to any degree and does not\n\n\n\n\n                                                                                         Page 16\n\x0c                                                               OIG FY 2008 FISMA Assessment\nTable 3: Examples of Assessment Procedures and Results Without Specific Information.\n\n              BEA\xe2\x80\x99s Original (FY06)                                       BEA\xe2\x80\x99s FY07 Procedural Step/Result\n                                                         OIG Comments\nControl       Procedural Step/Result                                      (full quotation, with changes to the   OIG Comments\n                       
                                  (in FY06)\n              (full quotation)                                            FY06 assessment results in bold)\nEnforcement   information system is configured to                                                                match the procedural step to examine\n              implement the organization\xe2\x80\x99s access                                                                access control mechanisms.\n              control policy.\n                                                                                                                 There is no evidence to support a test or\n              Assessment Result:                                                                                 examination of access control\n                                                                                                                 mechanisms to determine if BEA\xe2\x80\x99s access\n              The certifier examined the BEA IT                                                                  control policy is correctly implemented.\n              Security Plan, BEA Standard Operating                                                              There is some discussion of Active\n              Procedure 50-18A:Network Users                                                                     Directory in the ST&E result. However, the\n              Creation Procedure, BEA Remote                                                                     discussion pertains to password length\n              Access Security Standard, BEA                                                                      (IA-2), not access enforcement. 
There is\n              Standard Operating Procedure 20.6                                                                  no evidence in the package that the\n              (Revision 3) Employee Accountability                                                               access enforcement mechanisms for\n              Clearance, BEA Standard Operating                                                                  workstations, network devices, databases,\n              Procedure 20.17 (Revision 5): Security                                                             and applications were all examined or\n              Standards and Authorizations, Technical                                                            tested as claimed by the certifier.\n              Requirements to Remote Access to BEA\n              Information Technology Resources, BEA                                                              Specific components tested are not\n              Local Area Network Security Policies,                                                              identified.\n              BEA Standard Operating Procedure 80.2:\n              Password Policy for Information                                                                    There is no additional analysis by the\n              Technology Resources Within the BEA                                                                certification team to identify if it found any\n              Network, BEA IT Remote Access                                                                      deficiencies or the basis for its assertion\n              Security Work Agreement, BEA                                                                       that access control mechanisms \xe2\x80\x9care\n              Configuration Management Policy, BEA\xe2\x80\x99s                                                             configured to implement the BEA access\n              System Change Request Process and         
                                                         control policy.\xe2\x80\x9d\n              the DOC IT Security Program Policy and\n              Minimum Implementation Standards\n              (June 2005) chapter 17, section 17.4.\n              Based upon the information obtained by\n              examining the documentation, the\n              certifier has determined that BEA\xe2\x80\x99s\n              access control mechanisms for the\n              information system are configured to\n              implement the BEA access control policy.\n\n\n\n\n                                                                         Page 17\n\x0c                                                                        OIG FY 2008 FISMA Assessment\n\n\n\n\nTable 4: Different Results in Certifier\xe2\x80\x99s and ST&E Assessments.\n\n                    BEA\xe2\x80\x99s C&A Package\n\n\n\n\n                                                \n\n                    Security Plan                                                       ST&E Assessment Results\nControl                                                 Certifier\xe2\x80\x99s Results                                            OIG Comments\n\n\n\n                                     \n\n\n                    Description                                                         (full quotation, staff names\n                                                        (full quotation)\n                    (full quotation)                                                    removed)\n\nAC-14               BEA does not permit access to                                                                      There is no evidence of a test as\n      \n\n\n\n\n\nPermitted           the Local Area Network to                                                                          described in certifier\xe2\x80\x99s results. 
Since the\nActions Without     perform any actions on the BEA-                                                                    test description lacks specifics, there is\nIdentification or   EITS system without                                                                                little assurance that requirement is met.\nAuthentication      identification or authentication.                                              .\n                                                                                                                       The ST&E results conclude there is no\n                                                                    .                                                  need to test the control. However, simply\n                                                                                                                       prohibiting access to the system in policy\n                                                                                                                       does not verify that there are no accounts\n                                                                                                                       such as guest accounts that do not\n                                                                                                                       require a password. 
The assessment\n                                                                                                                       should validate this in the control\n                                                                                                                       implementation.\nAC-18               BEA has no internal wireless                                                                       Certifier\xe2\x80\x99s results state: \xe2\x80\x9dBEA does not\nWireless            access points to the BEA                                                                           allow wireless access,\xe2\x80\x9d but the security\nAccess              network, except Blackberry.                                                                        plan describes controls for Blackberry\nRestrictions        BEA\xe2\x80\x99s Enhancement Control                                                                          implementation.\n                    Implementation:\n                    All wireless traffic to and from                                                                   The ST&E asserts                       server\n                    the BES server and the                                                                             configuration settings were examined but\n                    Blackberry handheld devices is                                                                     there is no supporting evidence in the\n                    Triple DES (3DES) encrypted                                                                        package. 
Since the results do not specify\n                                                                                                                       which specific settings, there is little\n                                                                                                                       assurance the control was properly\n                                                                                                                       assessed.\nAC-2                All BEA accounts have                                                                              The ST&E results found that inactive\nAccount             passwords that expire in 90                                                                        accounts are not automatically disabled.\nManagement          days. While the account is not                                                                     Yet the certifier\xe2\x80\x99s results, which BEA\n                    disabled as required by this                                                                       holds as definitive, state that the system\n                    control, it is effectively made                                                                    does automatically disable inactive\n                    unavailable after 90 days until                                                                    accounts.\n                    an administrator changes the\n                    password.\n\n\n\n\n                                                                                  Page 18\n\x0c                                                                     OIG FY 2008 FISMA Assessment\n\n\n\n\nTable 5: Summary Comparison of Results from OIG Control Assessment and BEA Security Certification.\n\nControl       Control Requirement                       BEA\xe2\x80\x99s Security Assessment Report            OIG Assessment Result (Summary)\n                                              
(SAR)

AC-2 Account Management
  Control requirement: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency, at least annually].
  Control enhancements:
  (1) The organization employs automated mechanisms to support the management of information system accounts.
  (2) The information system automatically terminates temporary and emergency accounts after: Not Applicable.
  (3) The information system automatically disables inactive accounts after 90 days.
  (4) The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
  BEA SAR: BEA SAR states: [redacted]
  OIG assessment result (summary): An examination of user accounts on BEA-EITS verified that BEA is following its procedures for establishing, activating, modifying, disabling, and removing accounts. Assessments revealed that the BEA system has the tools and capabilities in place to regularly review accounts, but there was no evidence to support that accounts are reviewed weekly as required by BEA policy. (Assessments in the ST&E indicate that the review is done monthly rather than weekly as required by policy.) While the security plan states that BEA does not create temporary or emergency accounts, BEA's account management policy states that temporary accounts are issued to employees such as interns. As noted in the SAR and SSP, the BEA system is not configured to automatically disable accounts after an organizationally defined period. As a compensating control, BEA states that password expiration will cause the account to be locked until it is reset by an administrator. We assessed the described compensating control (for enhancement 3) and verified that the user is in fact locked out when the password has expired.

AC-3 Access Enforcement
  Control requirement: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.
  BEA SAR: [redacted]
  OIG assessment result (summary): A review of security groups for BEA operating divisions revealed that division security groups allow for access enforcement within the information system. However, a review of three user accounts and their assigned rights showed that one account was not added to the proper security groups according to the user's account authorization documentation.

AC-7 Unsuccessful Login Attempts
  Control requirement: The information system enforces a limit of three consecutive invalid access attempts by a user during a/n [organization-defined time period] time period. The information system automatically locks the account/node for 15 minutes when the maximum number of unsuccessful attempts is exceeded.
  BEA SAR: [redacted]
  OIG assessment result (summary): An assessment of a variety of components implementing this security control indicated that the implementation is not consistent system-wide and that some components are not enforcing authentication policy as required by BEA policy. Two of [redacted] Windows components were not compliant with BEA policy (account lockout was not enabled).

AU-2 Auditable Events
  Control requirement: The information system generates audit records for the following events: [Assignment: organization-defined auditable events].
  BEA SAR: [redacted]
  OIG assessment result (summary): Assessment of BEA policy found that it addressed the NIST SP 800-53 minimum requirements for this control. An assessment of selected system components revealed that audit and logging policy are not uniformly implemented throughout the information system. Four of [redacted] Windows components assessed were not compliant with BEA policy. One of the [redacted] devices assessed was not configured according to BEA policy requirements.

IA-2 User Identification and Authentication
  Control requirement: The information system uniquely identifies and authenticates users (or processes acting on behalf of users).
  BEA SAR: [redacted]
  OIG assessment result (summary): An assessment of a variety of components implementing this security control indicated that the implementation is not consistent system-wide and that some components are not enforcing authentication policy as required by BEA policy. Two of [redacted] Windows components assessed did not have minimum password length set to 8 characters.

IA-5 Authenticator Management
  Control requirement: The organization manages information system authenticators by: (i) defining initial authenticator content; (ii) establishing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; (iii) changing default authenticators upon information system installation; (iv) changing/refreshing authenticators periodically.
  BEA SAR: [redacted]
  OIG assessment result (summary): An assessment of a variety of components implementing this security control indicated that the implementation is not consistent system-wide and that some components are not enforcing authentication policy as required by BEA policy. Two of [redacted] Windows components are not enforcing password history or minimum password age requirements. An additional Windows component had a more stringent maximum password age setting (42 days) than the BEA Windows Security standard, which raises a question about implementation of the standard across all devices.

SI-3 Malicious Code Protection
  Control requirement: The information system implements malicious code protection.
  BEA SAR: [redacted]
  OIG assessment result (summary): Of the [redacted] components we examined, 12 had virus signatures that were out of date, with most being at least 60 days old.

CM-6 Configuration Settings
  Control requirement: The organization develops, documents, and maintains a current baseline configuration of the information system.
  BEA SAR: [redacted]
  OIG assessment result (summary): An assessment of a variety of components implementing this security control indicated that the implementation is not consistent system-wide.
  [redacted] components: Secure configuration baselines are well documented for [redacted] components. Assessment of the running configurations revealed that some settings for logging were not in place for some network components running [redacted]. One [redacted] router and one [redacted] firewall had security settings that were not compliant with BEA-defined settings.
  Windows components (including [redacted]): [redacted] Category I findings not addressed by or in conflict with BEA Windows Security Standards. In addition, our Gold Disk results revealed [redacted] unique Category II and 29 unique Category III findings on one or more of the 12 Windows components assessed with the Gold Disk tool. NOTE: The Category II and III findings are raw results and may have false positives counted in these figures.

Appendix A: Objectives, Scope, and Methodology

To meet the FY 2008 FISMA reporting requirements, we evaluated the BEA certification and accreditation for the Estimation Information Technology System (BEA-EITS, or BEA-015). Security certification and accreditation packages contain three elements, which form the basis of an authorizing official's decision to accredit a system.

    •   The system security plan describes the system, the requirements for security controls, and the details of how the requirements are being met. The security plan provides a basis for assessing security controls and also includes other documents such as the system risk assessment and contingency plan, per Department policy.
    •   The security assessment report presents the results of the security assessment and recommendations for correcting control deficiencies or mitigating identified vulnerabilities. This report is prepared by the certification agent.
    •   The plan of action & milestones is based on the results of the security assessment. It documents actions taken or planned to address remaining vulnerabilities in the system.

Commerce's IT Security Program Policy and Minimum Implementation Standards requires that C&A packages contain a certification documentation package of supporting evidence of the adequacy of the security assessment. Two important components of this documentation are:

    •   The certification test plan, which documents the scope and procedures for testing (assessing) the system's ability to meet control requirements.
    •   The certification test results, which are the raw data collected during the assessment.

To evaluate the C&A package, we reviewed all components of the package and interviewed BEA staff to clarify any apparent omissions or discrepancies in the documentation and gain further insight on the extent of the security assessment. We give substantial weight to the evidence that supports the rigor of the security assessment when reporting our findings to OMB.

In addition, we performed our own security control assessments on BEA-EITS and compared our results with BEA's certification test results. We chose a subset of the control requirements specified in NIST SP 800-53, and a subset of assessment procedures from NIST SP 800-53A, Third Public Draft. We tailored the procedures to BEA's specific control implementations. We did not attempt to perform a complete assessment of each control; instead we chose to focus on specific aspects of some of the more important technical and operational controls.

We assessed controls on key classes of IT components, choosing a targeted set of components from each class that would allow for direct comparison with BEA's certification test results while also targeting specific components that BEA did not test.
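The AC-7, IA-2 and IA-5 rows of Table 5 each turn on a handful of Windows account-policy settings (lockout threshold and duration, minimum password length, password history, minimum and maximum password age), and the comparison the OIG drew was component by component. The following is an added example, not code from this report or from BEA, of how the configuration extraction and verification step can be scripted so that every component is measured against the same baseline: it parses the text of a `secedit /export /cfg` policy file and lists each deviation. The hostnames, the sample exports and the baseline values the report does not state (password history size, minimum and maximum password age) are assumptions.

```python
"""Compare exported Windows account-policy settings with an AC-7 / IA-2 / IA-5 baseline.

Input is the text of a ``secedit /export /cfg <file>`` policy export (its
[System Access] section), so the check runs over a saved artifact rather than
on a live host. Hostnames, the sample exports and the baseline values not
stated in the report are constructed for this example.
"""
import operator

# Baseline to compare against. The AC-7 values (3 attempts, 15 minutes) and the
# IA-2 value (8 characters) come from Table 5; the other three are assumed
# placeholders for an organization standard, not BEA's actual settings.
BASELINE = {
    "LockoutBadCount":       ("<=", 3),    # AC-7: lock after 3 invalid attempts (0 disables lockout)
    "LockoutDuration":       (">=", 15),   # AC-7: stay locked at least 15 minutes
    "MinimumPasswordLength": (">=", 8),    # IA-2 finding: minimum length 8
    "PasswordHistorySize":   (">=", 1),    # IA-5: password history enforced (size assumed)
    "MinimumPasswordAge":    (">=", 1),    # IA-5: minimum age enforced (days, assumed)
    "MaximumPasswordAge":    ("==", 90),   # assumed standard; deviation either way is reported
}

OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq}

# Constructed exports for three hypothetical Windows components (not BEA systems).
SAMPLE_EXPORTS = {
    "WIN-OK": """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 3
ResetLockoutCount = 15
LockoutDuration = 15
[Version]
signature="$CHICAGO$"
Revision=1
""",
    # Lockout disabled, 6-character minimum, no history or minimum age: the
    # AC-7, IA-2 and IA-5 findings in Table 5 on one host.
    "WIN-NOLOCK": """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
""",
    # Stricter maximum age than the standard (the 42-day case in the IA-5 row).
    "WIN-STRICT": """[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordHistorySize = 12
LockoutBadCount = 3
ResetLockoutCount = 15
LockoutDuration = 15
""",
}


def parse_secedit_inf(text):
    """Parse the INI-style secedit export into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():   # exports are often UTF-16 with a BOM
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def check_system_access(policy, baseline=BASELINE):
    """Return the list of findings (strings) for one host's [System Access] settings."""
    settings = policy.get("System Access", {})
    findings = []
    for key, (op, want) in baseline.items():
        raw = settings.get(key)
        if raw is None:
            findings.append(f"{key}: not present in export")
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{key}: non-numeric value {raw!r}")
            continue
        # secedit writes 0 when lockout is off; that would otherwise pass a "<= 3" test.
        if key == "LockoutBadCount" and value == 0:
            findings.append("account lockout not enabled (LockoutBadCount = 0)")
            continue
        if not OPS[op](value, want):
            findings.append(f"{key} = {value}, baseline requires {op} {want}")
    return findings


def assess_hosts(exports):
    """Map hostname -> findings, so results can be compared component by component."""
    return {host: check_system_access(parse_secedit_inf(text)) for host, text in exports.items()}


if __name__ == "__main__":
    for host, findings in assess_hosts(SAMPLE_EXPORTS).items():
        print(host, "compliant" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Two details matter in practice. A disabled lockout is exported as `LockoutBadCount = 0`, which would satisfy a "no more than three attempts" comparison, so it is called out explicitly. And the maximum password age is checked for equality rather than as an upper bound, because, as the IA-5 row notes, a component that is stricter than the standard still shows that the standard is not being applied uniformly.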
We assessed control implementations on: Windows components [redacted], and [redacted] devices [redacted]. In addition, we examined the security plan descriptions, including related policy documents, and interviewed appropriate BEA personnel.

Because of the importance of BEA's economic products, we adapted our assessments to minimize the impact on system operations. As a result, some assessments could not be performed on certain system components. For example, assessments involving the creation, modification, or deletion of user accounts on routers, firewalls, and switches were not performed. Our assessments included the following activities:

    •   Extraction, examination, and verification of system configurations
    •   Generation of system events and examination of system logs
    •   Execution of DISA scripts (Gold Disk)
    •   Examination of user and group authorizations
    •   Addition, modification, and deletion of operating system accounts

Our assessment was limited in scope and should not be interpreted as the comprehensive review that a security certification for a moderate impact system would require. However, our assessments gave us direct evidence of the status of select aspects of important controls in BEA-EITS and provided meaningful comparison to the BEA security certification.

We used the following review criteria:
   •   Federal Information Security Management Act of 2002 (FISMA)
   •   U.S. Department of Commerce, IT Security Program Policy and Minimum Implementation Standards
   •   NIST's Federal Information Processing Standards (FIPS)
           o   Publication 199, Standards for Security Categorization of Federal Information and Information Systems
           o   Publication 200, Minimum Security Requirements for Federal Information and Information Systems
   •   NIST Special Publications:
           o   800-18, Guide for Developing Security Plans for Information Technology Systems
           o   800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
           o   800-42, Guideline on Network Security Testing
           o   800-53, Recommended Security Controls for Federal Information Systems
           o   800-70, Security Configuration Checklists Program for IT Products

We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency in January 2005.

BUREAU OF ECONOMIC ANALYSIS
U.S. Department of Commerce
Economics and Statistics Administration

August 12, 2008

MEMORANDUM TO:     Judith J. Gordon
                   Assistant Inspector General for Audit and Evaluation
                   Office of Inspector General
                   Department of Commerce

FROM:              J. Steven Landefeld
                   Director

SUBJECT:           Bureau of Economic Analysis
                   FY2008 FISMA Assessment of BEA Estimation Information Technology System
                   Draft Inspection Report No. OSE-19001

Thank you for your recent draft assessment report of BEA's Certification and Accreditation package. In reference to your findings and recommendations:

Finding/Recommendation #1: The system security plan provided an adequate basis to conduct the security certification.
   Response: We have worked hard on our comprehensive security plan, which forms the foundation of our security program, and would appreciate any suggestions that you may have for further enhancements.

Finding/Recommendation #2: BEA needs to improve its security control assessment to assure that controls are implemented as intended.
   Response: The private sector contractors that we have used for the FISMA-required external assessments of our security controls have come to us with good recommendations. However, we would appreciate OIG's assistance in finding consultants who can be more successful in producing the more rigorous documentation that you detailed for these external assessments.

Finding/Recommendation #3: BEA needs to correct its process for tracking and reporting security weaknesses.
   Response: BEA carefully tracks, tests, schedules, and implements all security requirements; however, as noted in the OIG report, our process has not included provisions for assuring that this information is filed with, and made available to, the Department's OCIO through Plans of Actions and Milestones (POA&Ms).

Finding/Recommendation #4: Assessment of selected BEA security controls found weaknesses in those controls that BEA's certification did not.
   Response: The Bureau continuously monitors the effectiveness of our security controls. Our first priority is the protection of critical market sensitive and company confidential data. As a result we had devoted the bulk of our scarce resources to protecting that core data. However, we understand the importance of protecting the entire system, and are expanding the scope of our continuous monitoring program to ensure coverage of all system components.

Attached documents contain specific comments, and detail actions taken, in response to your report. BEA appreciates your recommendations and we are using them to further improve the Bureau's IT security program.

Attachments

cc: Rosemary Marcuss, Suzanne Hilding, Brian Callahan

        1441 L Street NW     Washington, DC 20230     p.202.606.9900     www.bea.gov

BUREAU OF ECONOMIC ANALYSIS
U.S. DEPARTMENT OF COMMERCE
U.S.
Department of Commerce
Economics and Statistics Administration

August 11, 2008

MEMORANDUM TO:     J. Steven Landefeld
                   Director

FROM:              Brian Callahan
                   Chief Information Officer

SUBJECT:           Bureau of Economic Analysis
                   FY2008 FISMA Assessment of BEA Estimation Information Technology System
                   Draft Inspection Report No. OSE-19001

I reviewed the FISMA Assessment of the BEA Estimation Information Technology System. The recommendations in the report will serve to further strengthen BEA's IT security continuous monitoring program. The program is designed to mitigate new and ongoing threats to integrity and availability of the system.

BEA has addressed most of the points that were raised in the draft report. Specifically:

   •   We have increased the scope of our continuous monitoring program, with special emphasis on the NIST SP 800-53 technical control families. All tests, examinations, and interviews are performed by an independent contractor who reports directly to BEA's CIO. Test results are thoroughly documented with clear and appropriate artifacts. For each control family a Security Assessment Report is prepared for AO review and action. In addition the contractor performs random inspections of security defenses to ensure that they are performing as specified in BEA's Security Plan.

   •   Although not required [redacted] impact system, the Bureau had a team of independent contractors conduct a penetration test on BEA's information technology infrastructure. The team was unable to penetrate BEA's local area network but did provide some recommendations related to the external infrastructure which were promptly implemented.

   •   BEA continues to move forward in developing a standard configuration standard for Windows [redacted] servers. BEA utilizes the Defense Information Security Agency's (DISA) "Gold" as a secure configuration benchmarking tool. As the DISA documentation clearly states, each setting must be thoroughly tested before implementation in a production environment. BEA produces critical economic estimates such as Gross Domestic Product (GDP) monthly. BEA's risk-based secure implementation plan was designed with twin goals: benchmark and configure our most valuable assets first, and minimize the possibility of disruption in the ongoing statistical production process. Configurations for servers on BEA's Local Area Network which process our market sensitive and company confidential data were benchmarked and configured early in the process. We are now benchmarking less sensitive servers. This risk-based approach is reflected in the report where it is noted that some servers did not conform to our standard. In accordance with the report recommendation BEA has developed a Plan of Action and Milestones for completing this work across all servers.

   •   [redacted]

BEA is a small operating unit. To ensure the independence of the process BEA hires private sector firms to perform the certification of the BEA Information Technology Estimation System. Past successful performance has been the heavily weighted criterion in the vendor selection process. Unfortunately these vendors have not met the documentation expectations of the OIG. Our experience is that what is considered acceptable documentation varies greatly across agencies. BEA is determined to meet all applicable expectations and looks forward to working with the OIG and DOC CIO in developing written standards and a list of vendors whose work has met these standards. BEA has consistently volunteered to be an early implementer of the CSAM system. We believe that this system is a positive step in developing a standard approach to building system certification documentation packages.

BEA's IT staff benefited from the technical insights gained by working with the OIG reviewers. Hopefully we were able to provide the reviewers some insight as to how the NIST InfoSec guidelines apply within a very operational/production-orientated technology environment.

Attached is a table that reflects the updated status of actions recommended in the draft report. BEA looks forward to discussing our continuous monitoring program with the OIG.

Attachment

Status of action items to address OIG recommendations

Synopsis of Finding | OIG Recommendation | Status of Action Item to Address Recommendation

1. System security plan provided an adequate basis to conduct the security certification.
   1.1 Document secure configuration baselines with BEA's rationale for deviating from the benchmarks as appropriate.
   1.2 Update secure configuration baseline for [redacted] using the most current DISA benchmark available.

2.
Security certification lacked credible supporting evidence for technical security control assessments.
   2.1 Ensure all control assessments are supported by credible evidence to validate the assessment results.
   2.2 Ensure evidence shows that all applicable aspects of a control and an appropriate sample of components implementing it have been assessed.
   2.3 Ensure assessment procedures and results include specific information about the implementation of the control and steps taken to assess it.

3. Vulnerabilities were not included in the security assessment report (SAR) or identified in POA&Ms.
   3.1 Comply with Department policy and guidance in tracking and correcting system security deficiencies.
   3.2 Create POA&Ms to address the Windows vulnerabilities described in the OIG report.
   3.3 Explain vulnerabilities in SARs according to guidance found in NIST SP 800-37.
   3.4 Articulate the vulnerabilities for which the bureau is accepting risk. Unimplemented secure configuration settings should be addressed in the SAR as well as the accreditation decision letter. If BEA chooses to redefine its secure baseline, that document should be updated with appropriate risk rationale.

4. OIG assessment of selected security controls found significant weaknesses not identified by the BEA security certification.
   4.1 Ensure deficiencies the OIG identified are added to the system's POA&M and remediated in a timely manner.
   4.2 Ensure control assessments are improved through tailored procedures and well-supported results which provide a transparent view of the status of controls.

Appendix C: Assessment of Selected Security Controls

A compact disk containing the procedures we used to assess security controls implemented on selected system components from the Estimation Information Technology System was provided to BEA. The disk also included our assessment results, analysis, and supporting evidence.
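The AC-2 row of Table 5 faults two things that a scripted review can address directly: there was no evidence that accounts are reviewed weekly as BEA policy requires, and temporary accounts exist although the system does not terminate them automatically. As an added example, not part of this report or of BEA's procedures, the following script runs the review over an exported account inventory and returns a dated record of what was checked and what was found, which is the kind of artifact the OIG looked for. The inventory, the review dates and the field names are constructed for the example.

```python
"""Weekly account review that produces a retained record of the review.

Runs over an exported account inventory rather than a live directory. The
inventory, the dates and the field names are constructed for this example and
are not BEA data or BEA's procedure.
"""
import json
from datetime import date

INACTIVITY_LIMIT_DAYS = 90   # AC-2(3) as stated in Table 5
REVIEW_INTERVAL_DAYS = 7     # weekly review, the BEA policy requirement cited in Table 5

# Constructed inventory in the shape of a user export (hypothetical account names).
SAMPLE_ACCOUNTS = [
    {"name": "analyst01", "enabled": True,  "type": "standard",  "last_logon": "2008-08-10", "expires": None},
    {"name": "analyst02", "enabled": True,  "type": "standard",  "last_logon": "2008-04-01", "expires": None},
    {"name": "intern07",  "enabled": True,  "type": "temporary", "last_logon": "2008-08-09", "expires": None},
    {"name": "intern08",  "enabled": True,  "type": "temporary", "last_logon": "2008-08-11", "expires": "2008-08-29"},
    {"name": "svc_batch", "enabled": True,  "type": "standard",  "last_logon": None,         "expires": None},
    {"name": "former01",  "enabled": False, "type": "standard",  "last_logon": "2008-01-15", "expires": None},
]


def review_accounts(accounts, review_date, last_review_date):
    """Apply the AC-2 checks and return a review record suitable for retention."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing further for the inactivity or temporary-account checks
        if acct["last_logon"] is None:
            findings.append((acct["name"], "never logged on; disable or justify"))
        else:
            idle = (review_date - date.fromisoformat(acct["last_logon"])).days
            if idle > INACTIVITY_LIMIT_DAYS:
                findings.append((acct["name"], f"inactive for {idle} days; disable per AC-2(3)"))
        # The system does not terminate temporary accounts on its own, so each one
        # needs an expiration date the review can check. (Table 5's compensating
        # control, password expiration, is separate from and not replaced by this.)
        if acct["type"] == "temporary":
            if acct["expires"] is None:
                findings.append((acct["name"], "temporary account without an expiration date"))
            elif date.fromisoformat(acct["expires"]) < review_date:
                findings.append((acct["name"], "temporary account past its expiration date but still enabled"))
    days_since = (review_date - last_review_date).days
    return {
        "review_date": review_date.isoformat(),
        "accounts_in_scope": len(accounts),
        "days_since_last_review": days_since,
        "cadence_met": days_since <= REVIEW_INTERVAL_DAYS,   # False reproduces the "monthly, not weekly" finding
        "findings": findings,
    }


if __name__ == "__main__":
    # Review on 2008-08-12 with the previous review a month earlier (constructed dates).
    record = review_accounts(SAMPLE_ACCOUNTS, date(2008, 8, 12), date(2008, 7, 12))
    print(json.dumps(record, indent=2))
```

The record is what closes the evidence gap: it states when the review ran, how many accounts were in scope, whether the weekly interval was met, and which accounts need action. Storing one such record per review (for example as JSON appended to a protected log) gives an assessor something to examine beyond an assertion that reviews happen.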